I managed to successfully complete the OAuth flow and gain access token for the user. The OAuth is on a separate server & identity provider (OpenID Connect).
Now, I need to add middleware to check that the user is authenticated throughout his session in the application.
Any idea/directions on how I can manage this? Quite lost.
Seems like Pathfix does exactly what you are looking for. It is a Serverless OAuth Middleware, If you want to try it out. Might save you a whole lot of time setting up and deploying a middleware.
Disclaimer: I am part of the Pathfix Team :)
Related
Im trying to find some best practices on how to solve my problem.
I have a microservice application with oauth2 and firebase for authentication and authorization.
Our application needs to connect to a 3rd party rest api which is secured with oauth2 as well.
Is it possible to integrate both implementations or do i need to make my own solution?
One of my co-workers implemented the authorization-code flow needed to access the api and we basicly store access and refresh_tokens in the database to access this 3rd party api. But it doesn't feel right, i cant find any best practices either, can anyone help me out?
What your co-worker implemented is pretty typical: separating out the authentication and authorization for your own application (which you manage with Firebase) from your users authorizing your use of the 3rd party API.
Here are some best practices you should be following when implementing your OAuth flow:
Use the state parameter to avoid CSRF attacks. Store it in your database and compare the callback state with the one that you randomly generated for the user
Encrypt access and refresh tokens. Refresh tokens in particular provide long-lived access
Verify that the scope you asked for is the scope that was returned: some providers allow users to adjust the permissions, which can lead to unexpected errors
Make sure your refresh tokens don't expire. Check with the provider's docs to see how refresh tokens are deauthorized. Some are time-based, some are based on new refresh tokens being issued, but in any case, make sure your refresh token stays valid, as if it is not, you must get the user to re-authorize your application
You can also use a managed OAuth provider to abstract away all these elements. Xkit, which I work on, integrates with Firebase Authentication so your users can authorize your app, and you can retrieve each user's tokens with one API call.
I used the code at https://github.com/oktadeveloper/okta-spring-boot-saml-example to understand how to use Okta for SSO. We are using SAML. My question is how to detect if the session is still valid and if not, redirect the user to the Okta log in page.
I tried using HttpSession but I did not know how to link it to Okta.
If someone can give me a few pointers as to where to start, I would appreciate it.
Thanks
The short and best answer is no.
You can use Javascript on the browser to see if the User still has a live session with Okta using this:
https://developer.okta.com/docs/reference/api/sessions/#get-current-session
There is a way using the Sessions API to authenticate a User, and then check to make sure the session is still valid, but managing the state creates more headaches than it's worth. I would not suggest doing this.
If you are using Oauth 2.0, then it's easier, you can just redirect the User to Okta and perform a re-authorize more easily, plus Oauth 2.0 tells you when the token was minted.
I work for a large company (50K+). Some orgs within the company use OKTA for auth on their servers.
I have a valid user login (via OKTA) for the servers, and can log in through a browser without any issues, but want to access this site programatically.
How can I log into these websites using my OKTA credentials?
I've found this doc: https://developer.okta.com/docs/reference/api/oidc/#authorize
that details how to use an OKTA endpoint, but it requires some info that I do not have. Namely, nonce, state, and client_id. I have no clue how to get this info.
I've found another endpoint that allows a similar login method, but only requires username and password (I forget the doc that referenced this):
https://<company>.okta.com/api/v1/authn
I am able to successfully authenticate with OKTA using this endpoint, and receive a session_token. Can I take this session_token and apply it to my arbitrary webpage somehow? I can not find any documentation that says so.
At first glance it appears that many of the API endpoints for OKTA require intimate knowledge of the hosted application (and/or are not meant to be accessed programmatically).
Is it possible to log into an arbitrary webpage that uses OKTA for authentication, with only knowledge that an end user would have (username/password/optional MFA)?
Hi not sure you found the answer yet. from your descriptions i think yours is web app, which is supposed to use authentication code flow. else, you can ask your web developers what authentication flow they use and follow the auth process accordingly.
you need to retrieve id token & access token for authentication.
I'm new to Laravel.
I already have an API that authenticates users and creates a JWT token for it. Now in my new app, I want to outsource authentication and authorization to this API.
this new app acts like a front-end for the API, and API handles the logic of app.
I'm not completely familiar with this type of architecture, but I think it's a 3-layer architecture that has been divided physically.
the main problem for me is to handle authentication of users and how to turn the stateless logic of API into a web app.
Should I create a custom auth provider?
How? could you provide an example!
thanks to everyone,
But the final solution was Creating a middleware that handles authentication. for example, the middleware authenticates user through a form and saves the JWT token on a session.
this easy step solved my all problems.
I think what you're looking for is creating a custom guard. See docs here.
I'm writing a web application that reads my personal calendar data, crunches stats, and then spits them out for the world to see. I don't need an authorization flow. Is it possible to leverage the Google APIs without going through a user sign-in flow? In other words, I want my personal Google account permanently and securely signed in to my server without the risk of my token invalidating or having to re-auth.
Right now I'm signing myself in with an offline token, then uploading the authorization file onto my server, basically spoofing the server that I already auth'd. Is there not a cleaner way?
I've spent hours reading through the API docs and Auth docs, but haven't found and answer. If there is a page I've missed, please point me to it!
PS. I'm using the Calendars API through Python/Flask on Heroku, but that shouldn't matter.
An alternative approach is using a service account while sharing your calendar with that service account. See https://developers.google.com/accounts/docs/OAuth2ServiceAccount
So, you want to be remembered.
If you want to dispose of any kind of authenticacion but yet the user needs to be recognized you should be using a cookie.
On the server side that cookie should be used to select the offline token.
Of course, without that cookie the user needs to be authenticated in any way. I would make them reauth by Google so you get a new offline token.
Hope that it helps.